Secure CA Gateway

1
Secure CA Gateway

• EPICS meeting at SLAC
• April 26, 2005
• N. Yamamoto

2
GAN operation scenario
LOCAL Control
Remote Control
Remote Control
3
Access to a control system from outside of Lab.

• Allow safe access from outside of lab.
• Safe connection to hosts in the control system.
• VLAN
• Dedicated Line
• SSH tunnel from the Internet
• login to one of CPU in control system.
• Once user login to the hosts, it is difficult to
  distingush access from outside and access from
  inside lab.
• Allow user to use same tools on there PC/NB.
• Secure CA
• identificationPKI
• secure connection SSL
• Access priviledge management
• Enhance CA gateway to support secure
  connectionSecure CA Gateway

4
Secure CA Gateway
Internet

• Use PKI to identify and authenticate the user
• Use SSL for secure connection
• Access control management system have to be
  implemented
• description of
• Assume access from the inside hosts are safe.

AccessDB
Management ServerGW
LAN
ASG
5
Keypoints for secure CA GW

• flexibility
• Allow to introduce new context.
• transparency
• Can be introduced without large modification to
  existing system.
• security
• Must be secure under remote operation
  environment.
• performance
• Keep there performance. or Take a balance with
  Flexibility, Transparency, security

6
We need to modify...

• CA client library
• Authetification on opening the connection to the
  server
• SSL support
• Gateway
• authentication using PKI
• SSL support
• Access to privilege control database
• QueryChannel name and PKI identification, (and
  access point), as a key.
• Configuration
• Change configuration dynamically
• reserve a set of channels for a particular
  user/group for modification.